Data Processing Addendum
(Last Updated: 8 August 2025)
This Data Processing Addendum (“DPA”) forms part of the Terms & Conditions or other written
agreement (“Agreement”) between Wewe Media Group Pte Ltd (“Wewe Media”) and the entity or
person identified as the “Client” (“Client”), each a “Party” and together the “Parties.”
1. Purpose and Scope
1.1 This DPA reflects the Parties’ agreement on the processing of Personal Data in connection with the
Services, in compliance with:
– EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”)
– UK GDPR and UK Data Protection Act 2018
– California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA)
– Personal Information Protection and Electronic Documents Act (PIPEDA – Canada)
– Singapore Personal Data Protection Act 2012 (PDPA)
– Any other applicable privacy and data protection laws worldwide
1.2 This DPA prevails over conflicting terms in the Agreement, except where otherwise agreed in
writing.
2. Definitions
Terms such as “Controller,” “Processor,” “Data Subject,” “Personal Data,” “Processing,”
“Sub-Processor,” and “Supervisory Authority” shall have the meanings given under Applicable
Data Protection Laws.
3. Roles of the Parties
3.1 The Parties acknowledge and agree that:
– Controller–Processor Relationship: Client is the “Controller” and Wewe Media is the “Processor”
(or “Sub-Processor” where Client acts as Processor for a third-party controller).
– Processor–Sub-Processor Relationship: Where Wewe Media engages third parties to process Personal
Data, such parties are “Sub-Processors.”
4. Processing Instructions
4.1 Wewe Media shall process Personal Data only on documented instructions from the Client,
including with respect to transfers of Personal Data to a third country, unless required by law.
4.2 If Wewe Media is required by applicable law to process Personal Data without the Client’s
instructions, Wewe Media shall notify the Client before processing (unless prohibited by law).
5. Data Subject Rights
Wewe Media shall assist Client, insofar as this is possible, to respond to requests from Data Subjects
exercising their rights under Applicable Data Protection Laws (e.g., access, correction, deletion,
objection, portability).
6. Security
Wewe Media shall implement and maintain appropriate Technical and Organisational Measures
(“TOMs”) to protect Personal Data against accidental or unlawful destruction, loss, alteration,
unauthorised disclosure, or access, as described in Annex 2.
7. Sub-Processors
7.1 Client authorises Wewe Media to engage Sub-Processors for the provision of Services.
7.2 Wewe Media shall impose written terms on all Sub-Processors ensuring at least the same level of
protection for Personal Data as required by this DPA.
7.3 Wewe Media shall make available to the Client, upon written request, an up-to-date list of
Sub-Processors engaged in the processing of Personal Data. Such disclosure shall be made under
appropriate confidentiality obligations.
8. International Transfers
8.1 Where Personal Data is transferred outside its originating jurisdiction, Wewe Media shall ensure
such transfers are made in compliance with Applicable Data Protection Laws.
8.2 For transfers from the EEA, UK, or Switzerland, the Standard Contractual Clauses (SCCs) in Annex
3 shall apply.
9. Data Breach Notification
Wewe Media shall notify Client without undue delay upon becoming aware of a Personal Data Breach,
providing sufficient details to enable the Client to comply with its own legal obligations.
10. Deletion or Return of Data
Upon termination of Services, Wewe Media shall, at Client’s choice, delete or return all Personal Data
(unless retention is required by law).
11. Audits
Upon reasonable notice and no more than once per year, Client may audit Wewe Media’s compliance
with this DPA, either through a third-party auditor or by reviewing documentation provided by Wewe
Media.
12. Liability
Liability under this DPA is subject to the limitations and exclusions set out in the Agreement, except
where prohibited by Applicable Data Protection Laws.
13. Governing Law
This DPA is governed by the laws set out in the Agreement, except where Applicable Data Protection
Laws require otherwise.
Annex 1 – Processing Details
Subject Matter: Provision of the Services under the Agreement.
Nature and Purpose: Digital marketing, advertising campaign management, affiliate marketing, lead
generation, analytics, and related activities.
Types of Personal Data: Names, email addresses, contact details, online identifiers, IP addresses, device
information, tracking data, and any other Personal Data provided by Client.
Categories of Data Subjects: End users, customers, affiliates, employees, contractors of Client.
Duration: For the term of the Agreement plus any legally required retention period.
Annex 2 – Technical and Organisational Measures
Examples include:
– Encryption in transit and at rest
– Access control and authentication
– Network security and firewalls
– Regular security testing and vulnerability scans
– Incident response procedures
– Data minimisation practices
Annex 3 – Standard Contractual Clauses (SCCs)
The SCCs approved by the European Commission (Decision 2021/914/EU) and UK International Data
Transfer Addendum are incorporated herein by reference for transfers of Personal Data to third countries
not recognised as providing adequate protection.
Final Provision
This DPA is entered into and becomes legally binding upon acceptance of the Terms & Conditions
incorporating it by reference.
Wewe Media Group | info@Wewemedia.com | www.Wewemedia.com